WebApp Sec mailing list archives
RE: IIS log - GETs vs. POSTs
From: Guille -bisho- <bisho () onirica com>
Date: 02 Sep 2003 00:07:19 +0200
Yes. On the net all the HTTP protocol goes encrypted. SSL just provides a secure channel for a normal HTTP request. But in the log files the GET params of https connections are logged, so if the server ends up compromised, that data is fully accessible, even retroactively.
That is incorrect. Here is the transactional model:

Client hello                          ->
                                      <- Server hello
                                      <- Server certificate
                                      <- ServerHelloDone
ClientKeyExchange E(Kserv, PK)        ->
ChangeCipherSpec                      ->
FIN Handshake (MAC)                   ->
                                      <- ChangeCipherSpec
                                      <- FIN Handshake (MAC)
Application_data HTTP request         ->
  (GET /?data HTTP/1.0\n\n)
                                      <- Application_data HTTP response
                                         (HTTP/1.1 200 OK\n...)
Alert: close_notify                   ->
                                      <- Alert: close_notify
-- bisho! -=] 01/09/2003 [=- [ PAZ SI, GUERRA NO ] (Peace yes, war no)
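The point in dispute above is not whether SSL encrypts the query string on the wire (it does; the GET line is inside Application_data), but what the web server writes to disk afterwards. The following is an added example, not code from the thread or from IIS: it parses a constructed IIS W3C Extended log (the #Fields layout is the stock IIS 6 one, the request lines and the SENSITIVE pattern are made up) and lists every request whose logged cs-uri-query carries a sensitive-looking parameter. HTTPS requests on port 443 show up exactly like port-80 ones, and the POST to the same page leaves nothing but '-' in that column.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C Extended log (not a real server log).
# The #Fields line is the default IIS 6 layout; the request lines are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-09-01 22:07:19
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-09-01 22:07:19 10.0.0.5 GET /login.asp user=alice&password=s3cret 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-09-01 22:07:21 10.0.0.5 POST /login.asp - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
2003-09-01 22:07:25 10.0.0.5 GET /search.asp q=widgets 443 - 192.0.2.11 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-09-01 22:07:30 10.0.0.5 GET /account.asp ssn=123-45-6789&token=abc123 80 - 192.0.2.12 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

# Hypothetical list of parameter-name fragments worth flagging; tune per application.
SENSITIVE = re.compile(r"(pass|pwd|secret|token|ssn|card|cvv|session)", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # IIS writes '-' for empty fields and '+' for spaces, so the column
            # count is stable; anything else is malformed and is skipped.
            continue
        yield dict(zip(fields, values))


def leaked_params(text):
    """Return (method, stem, port, [sensitive param names]) for each request whose
    logged cs-uri-query contains a sensitive-looking parameter.

    Only the query string of the request line reaches this column: a POST body
    is never written to the log, so POSTs can only ever show '-' here."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        names = [k for k in parse_qs(query, keep_blank_values=True) if SENSITIVE.search(k)]
        if names:
            hits.append((rec["cs-method"], rec["cs-uri-stem"], int(rec["s-port"]), names))
    return hits


if __name__ == "__main__":
    for method, stem, port, names in leaked_params(SAMPLE_LOG):
        scheme = "https" if port == 443 else "http"
        print(f"{scheme} {method} {stem}: {', '.join(names)} recorded in cs-uri-query")
```

Run it against a real log directory to audit which forms are leaking credentials into W3C logs; the same check applies to any proxy or load balancer in front of IIS that logs the request line, since those see the decrypted GET as well.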
Current thread:
- Fw: IIS log - GETs vs. POSTs Matt Fisher (Aug 30)
- Re: IIS log - GETs vs. POSTs Jeremy Poteet (Aug 30)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 30)
- Re: IIS log - GETs vs. POSTs Lucas Holt (Aug 30)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 31)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 30)
- Re: IIS log - GETs vs. POSTs Jeremy Poteet (Aug 30)
- <Possible follow-ups>
- RE: IIS log - GETs vs. POSTs Calderon, Juan C (EM, DDEMESIS) (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)
- RE: IIS log - GETs vs. POSTs Guille -bisho- (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)